Re: Granting all users Admin Rights

From: JB Fields (jbfields3@hotmail.colm)
Date: 05/23/02 

From: "JB  Fields" <jbfields3@hotmail.colm>
Date: Thu, 23 May 2002 11:59:30 -0400

"Leo" <boeglinl001@hawaii.rr.com> wrote in message
news:467201c1fdc9$b38f4790$b1e62ecf@tkmsftngxa04...
> Rob,
> You are exactly correct!! Stand firm!
> I am an Information Systems Security Officer for the
> Army. I am responsible for the upkeep and security of 50
> computers in my unit and have the exact same issues.
> Standard users can do everything they need without admin
> rights. You stated it exactly right, keeping them out of
> the admin profile will prolong your computers life! I
> know from experience.
> Leo
>
> >-----Original Message-----
> >Hello All,
> >
> >I am currently the network manager at a small college
> with about 250
> >faculty and staff compuers(1500 students). I am in the
> middle of
> >implementing a windows 2000 domain. The network is
> currently peer to
> >peer workgroups with win95, 98 and 2000 clients. In the
> process of
> >building the domain, I am also trying to get every client
> onto windows
> >2000 so I can take advantage of the many features it
> allows in
> >conjunction with active directory. The most important
> thing to me
> >since I am starting from scratch is setting up rules and
> guidelines
> >for the users of the network. My background before
> working here was
> >working at a high-tech engineering company.
> >
> >Recently I have hit a snag with the management here where
> we cannot
> >agree on whether or not users should be allowed local
> administrative
> >rights on their machines. In my last company I was
> forced to give
> >admin rights to most users so they could develop and
> install hardware
> >on their local machine. I don't really see the need for
> the rights
> >here, but the people making the executive decisions
> disagree with me.
> >I am curious to know how other colleges or academic
> institutions deal
> >with this issue. It is my opinion that people should not
> need admin
> >rights as a function of their job and any software
> installations
> >should be routed through IT. The people making the
> decisions feel
> >that restricting rights would infringe upon adademic
> freedom.
> >
> >I see several problems with granting a regular user admin
> rights. The
> >main reason is that system files become accessible and
> could be
> >corrupted very easily by accidental clicks, viruses,
> etc... I also
> >want to be able to control the licensing of software, and
> want to keep
> >the shareware to a minimum. Not having admin rights
> greatly reduces
> >their ability of screwing things up on the machine. It
> also increases
> >the security of each machine by knowing that many
> services can't be
> >inadvertantly disabled or uninstalled.
> >
> >The users that I am referring to are all Faculty and
> Staff. Each
> >person has a machine in their office to use. We are not
> an
> >engineering school or anything like that, and only have a
> few teachers
> >who teach computer related fields.
> >
> >If some people could give their feelings on this it would
> be greatly
> >appreciated. I apologize if some of you feel this isnt
> the right
> >newsgroup, but to me this seems like a security issue.
> Mainly my
> >question is asking how other groups handle this? Should
> we give in
> >and grant rights to everyone, or is it important to stand
> firm on my
> >own opinion.
> >
> >Thanks in advance
> >Rob
> >.
> >

How about offering them the chance to request a local admin account when
they need one? Then turn on an adm-username account with an expiration time
that you all agree on.

At the very least, get them to use a separate account for softward
installations and maybe one that has no e-mail profile configured.

I would stress to them the possibility that they would not want an e-mail
virus that comes in to be operating under the context of their regular
username with admin privileges. Do they really want their names on the
audit log entries of a virus exploring the network?

JB Fields, MCSE, MCT, CTT+, A+
Mantech Security Technologies Corp.

Relevant Pages

  • Re: New to SMS - have a Collections question.
    ... I loaded the SMS Admin Console on the ... comprimise the security of the servers. ... SMS security is a bit different from normal Windows security. ... Access to objects is based on Security Rights (if you scroll down the list ...
    (microsoft.public.sms.admin)
  • Re: New to SMS - have a Collections question.
    ... local admin of both the SMS server and the server the database is on. ... However this is a security problem. ... Access to objects is based on Security Rights (if you scroll down the ...
    (microsoft.public.sms.admin)
  • Re: Granting all users Admin Rights
    ... I am a Network Admin for Cuesta College and we are dealing with the same ... Techs to go to install every little piece of software on users computers. ... I believe that giving users Power Users rights is the best way ...
    (microsoft.public.win2000.security)
  • Re: Impact of removing administrative rights in an enterprise running XP
    ... the network admin is "Admin" of the network... ... they should only have/need the appropriate rights for their role in the firm. ... reporting mechanisms for software/patch installations whatsoever. ...
    (Focus-Microsoft)
  • Re: Printer Problems
    ... he had the user rights to disable ... (default install behavior on xp), and it failed because DeskJet needs it ... If you create another admin on that system, you could see the problem again, ... > I manage a small network at a downtown Denver hotel. ...
    (microsoft.public.windowsxp.help_and_support)